We challenge you... to respond... then we'll authenticate ya! That's right, we're getting into Challenge Response Authentication. Plus Two-Factor Authentication for SSH using the Google Authenticator, and how not to lock yourself out of your own workstation. All that and more, this time on Hak5!

Challenge Response Authentication

Used in the 80's and 90's for copy protection (Wolfenstein SoD example)

DRYAD Example

Used for authentication or encryption by the US military

Keyboard Interactive is defined in an Internet-Draft submitted to the IETF; in 2004 two Googlers described "Generic Message Exchange Authentication for SSH"

Example of Lame-Ass-Challenge-Response-Authentication

Client initiates connection to server

Server asks for password

Client tells server password

Server lets client connect, they become BFF

Eavesdropping hacker now knows password

One-way hash

Takes input, returns hash value

Finding input from hash value is "computationally infeasible"

Popular functions include MD5 and SHA

Example of proper Challenge-Response Authentication

Client initiates connection to server

Server "challenges" client by sending a random number

Client "responds" by running the one-way hash over random number + password, and sends the result

Server runs the same one-way hash over random number + password and compares it with the result

If result matches, client and server become BFF

Eavesdropping hacker now knows a random number and the resulting hash of said random number + the password :-(

Weaknesses in CRA

If a challenge is used more than once, the hacker can simply replay the hash
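The exchange above and the replay weakness, as an added example that is not from the show: a toy server and client (the Server, Client, login and replay_accepted names and the demo password are my assumptions, and SHA-256 stands in for the one-way hash). The server can either hand out a fresh random challenge that it accepts only once, or reuse one challenge, which is what lets a captured response be replayed.

```python
import hashlib
import hmac
import os

# Constructed demo secret shared by client and server (an assumption for the example).
PASSWORD = "correct horse battery staple"


def one_way_hash(challenge: bytes, password: str) -> str:
    """The response: a one-way hash over challenge + password, as in the show notes."""
    return hashlib.sha256(challenge + password.encode()).hexdigest()


class Server:
    """fresh=True: new random challenge per login, accepted at most once.
    fresh=False: the same challenge is reused, the weakness described above."""

    def __init__(self, password: str, fresh: bool = True):
        self._password = password
        self._fresh = fresh
        self._fixed_challenge = os.urandom(16)
        self._outstanding = set()  # challenges issued but not yet answered

    def challenge(self) -> bytes:
        c = os.urandom(16) if self._fresh else self._fixed_challenge
        self._outstanding.add(c)
        return c

    def verify(self, challenge: bytes, response: str) -> bool:
        if challenge not in self._outstanding:
            return False  # never issued, or already answered once
        expected = one_way_hash(challenge, self._password)
        ok = hmac.compare_digest(expected, response)  # constant-time compare
        if self._fresh:
            self._outstanding.discard(challenge)  # one challenge, one answer
        return ok


class Client:
    def __init__(self, password: str):
        self._password = password

    def respond(self, challenge: bytes) -> str:
        return one_way_hash(challenge, self._password)


def login(server: Server, client: Client, wire: list) -> bool:
    """One exchange; `wire` records what an eavesdropper sees (challenge, response)."""
    c = server.challenge()
    r = client.respond(c)
    wire.append((c, r))
    return server.verify(c, r)


def replay_accepted(server: Server, wire: list) -> bool:
    """Does re-sending the last captured (challenge, response) pair log in?"""
    c, r = wire[-1]
    return server.verify(c, r)
```

The eavesdropper still ends up with a challenge and its hash, so an offline guess at the password remains possible; only the replay is stopped by fresh challenges.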